I had a quick chat with Johann as well. So for the sake of backward
compatibility we will not change this in the product and will run the tests by
altering the registry entry.

@Fara: Am I correct to assume that oidc-scope-config.xml only takes effect
during the first startup? In any case we need to document both configs if we
haven't already.

On Sat, Aug 12, 2017 at 10:10 AM, Ashen Weerathunga <as...@wso2.com> wrote:

>
>
> On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>>
>>
>> On Friday, August 11, 2017, Omindu Rathnaweera <omi...@wso2.com> wrote:
>>
>>>
>>>
>>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana <hasi...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Currently I am working on making WSO2 IS OpenID Connect certified. I
>>>> ran a test on requesting essential claims from OP, when the scope is
>>>> openid. It gave an error saying unexpected claims returned.
>>>>
>>>
>>> This is not an error, but a warning correct ?
>>>
>>>
>>>> Then I inquired about this issue through the mailing list of OIDC
>>>> specifications [1]. I got some information from that as openid scope
>>>> should only return subject and issuer.
>>>>
>>>> IS 5.4.0 is supporting many claims for scope openid. They are:
>>>> sub, email, email_verified, name, family_name, given_name, middle_name,
>>>> nickname, preferred_username, profile, picture, website, gender,
>>>> birthdate, zoneinfo, locale, phone_number, phone_number_verified,
>>>> address, street, updated_at
>>>>
>>>> I couldn't find in the OIDC specification where it mentions that the
>>>> openid scope should only return subject and issuer.
>>>>
>>>
>>> AFAIK, the spec has not specifically mentioned what we should return for
>>> the openid scope; it only mentions what should be returned for the default
>>> 4 scopes. However it is understandable that the test client expects a
>>> minimum set of claims when having only the openid scope. If an RP needs
>>> additional claims, it should request them by specifying additional scopes
>>> and/or essential claims. So I think the correct behavior would be to
>>> return only a minimal set of claims for the openid scope.
>>>
>>
>> Since the spec hasn't specified this minimal set of claims, one can argue
>> that it is something specific to an RP. This is how our current
>> implementation works as well. Although we could define a set of claims
>> bound to the 'openid' scope, the service provider could control what it
>> needs from the claims bound to the openid scope by using the requested
>> claims configuration.
>>
>> Changing the 'openid' scope to return the issuer and sub claims only will
>> be a breaking change for many existing providers who rely on the additional
>> claims (some of them could be mandatory from the PoV of the RP).
>>
>> IMO, if the spec doesn't mandate what should be returned for openid scope
>> then we can keep our existing implementation as it is.
>>
>
> +1 to keep the existing claims if it's not a spec violation. Seems like we
> have defined all the standard claims mentioned in the spec [1] under our
> openid scope implementation. So if someone needs to remove some of the
> claims, they can remove them from the OIDC configuration in the registry.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
>
>
>>
>>>
>>>> Can you please help me on this issue?
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>>>
>>>> --
>>>> Hasini Witharana
>>>> Software Engineering Intern | WSO2
>>>> Email : hasi...@wso2.com
>>>> Mobile : +94713850143
>>>>
>>>
>>>
>>> Regards,
>>> Omindu.
>>>
>>> --
>>> Omindu Rathnaweera
>>> Senior Software Engineer, WSO2 Inc.
>>> Mobile: +94 771 197 211
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>>
>>
>>
>>
>>
>
>
> --
> Ashen Weerathunga
> Software Engineer
> WSO2 Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Email: as...@wso2.com
> Mobile: +94716042995
> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
>

Thanks,
Omindu

-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
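Worked example, added here for readers of the thread; it is not WSO2 IS code and not part of the original messages. It models the decision the thread is about: given a scope-to-claims binding (the shipped one that puts all the standard claims under openid, versus a trimmed registry entry), the requested scopes, and any essential claims from the `claims` request parameter, which claims does the OP release, and which of them would a strict conformance client flag as unexpected for scope=openid. The XML layout (`<Scope id="..."><Claim>a,b,c</Claim></Scope>`) is my assumption of how oidc-scope-config.xml is laid out and should be checked against the file in your distribution; the function names and the user record are constructed for the example.

```python
"""Added example (not WSO2 IS code): which claims does an OP release for a
given scope configuration and request, and which of them would a strict
conformance client consider "unexpected" for scope=openid?

Assumptions, labelled as such:
- SAMPLE_SCOPE_CONFIG follows the <Scope id=".."><Claim>a,b,c</Claim></Scope>
  layout I assume oidc-scope-config.xml uses; verify against your install.
- Every function below is a hypothetical helper written for this example.
"""
import xml.etree.ElementTree as ET  # the config is trusted, local input
from typing import Dict, Iterable, List, Mapping, Optional

# Claims the spec binds to the four default scopes (OIDC Core 1.0, 5.4).
DEFAULT_SCOPE_CLAIMS: Dict[str, List[str]] = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample: the openid binding mirrors the IS 5.4.0 list quoted in
# the thread, the other scopes mirror the spec defaults.
SAMPLE_SCOPE_CONFIG = """<Scopes>
  <Scope id="openid">
    <Claim>sub,email,email_verified,name,family_name,given_name,middle_name,nickname,preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,phone_number,phone_number_verified,address,street,updated_at</Claim>
  </Scope>
  <Scope id="profile">
    <Claim>name,family_name,given_name,middle_name,nickname,preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,updated_at</Claim>
  </Scope>
  <Scope id="email"><Claim>email,email_verified</Claim></Scope>
  <Scope id="address"><Claim>address</Claim></Scope>
  <Scope id="phone"><Claim>phone_number,phone_number_verified</Claim></Scope>
</Scopes>"""


def parse_scope_config(xml_text: str) -> Dict[str, List[str]]:
    """Map scope id -> ordered claim list from the assumed XML layout."""
    config: Dict[str, List[str]] = {}
    for scope in ET.fromstring(xml_text).findall("Scope"):
        claim_el = scope.find("Claim")
        text = claim_el.text if claim_el is not None and claim_el.text else ""
        config[scope.get("id", "")] = [c.strip() for c in text.split(",") if c.strip()]
    return config


def resolve_claims(scope_config: Mapping[str, List[str]],
                   requested_scopes: Iterable[str],
                   essential_claims: Iterable[str] = (),
                   user_claims: Optional[Mapping[str, object]] = None) -> List[str]:
    """Claims the OP releases: 'sub' always, then the claims bound to each
    requested scope, then essential claims from the `claims` parameter;
    restricted to claims the user actually has when user_claims is given."""
    selected = ["sub"]
    for scope in requested_scopes:
        for claim in scope_config.get(scope, []):
            if claim not in selected:
                selected.append(claim)
    for claim in essential_claims:
        if claim not in selected:
            selected.append(claim)
    if user_claims is not None:
        selected = [c for c in selected if c in user_claims]
    return selected


def unexpected_claims(released: Iterable[str], requested_scopes: Iterable[str],
                      essential_claims: Iterable[str] = ()) -> List[str]:
    """What a strict test client flags: anything beyond 'sub' that neither a
    requested default scope nor an essential claim asked for."""
    expected = {"sub"}
    for scope in requested_scopes:
        expected.update(DEFAULT_SCOPE_CLAIMS.get(scope, []))
    expected.update(essential_claims)
    return [c for c in released if c not in expected]


def restrict_openid_scope(scope_config: Mapping[str, List[str]],
                          keep: Iterable[str] = ("sub",)) -> Dict[str, List[str]]:
    """The registry edit the thread settles on, applied to the parsed config:
    trim the openid binding to `keep` and leave every other scope alone."""
    keep_set = set(keep)
    trimmed = {k: list(v) for k, v in scope_config.items()}
    trimmed["openid"] = [c for c in scope_config.get("openid", []) if c in keep_set]
    return trimmed


if __name__ == "__main__":
    cfg = parse_scope_config(SAMPLE_SCOPE_CONFIG)
    # Constructed user record: not every configured claim has a value.
    alice = {"sub": "alice", "email": "alice@example.com", "email_verified": True,
             "name": "Alice", "given_name": "Alice", "phone_number": "+10000000000"}
    released = resolve_claims(cfg, ["openid"], user_claims=alice)
    print("scope=openid, shipped binding:", released)
    print("  flagged by a strict client:", unexpected_claims(released, ["openid"]))
    trimmed = restrict_openid_scope(cfg)
    released = resolve_claims(trimmed, ["openid", "email"], ["given_name"], alice)
    print("scope='openid email' + essential given_name, trimmed binding:", released)
    print("  flagged:", unexpected_claims(released, ["openid", "email"], ["given_name"]))
```

With the shipped binding a request for scope=openid releases every claim the user has a value for, which is exactly what the test client warned about; with the trimmed binding the same request releases only sub, and an RP that needs more asks for it with the email scope or an essential claim, so nothing is flagged. Note that the trimming function returns a new mapping rather than editing the parsed one, so the shipped and trimmed bindings can be compared side by side during the test run.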
